Cisco 877 router VPN no LAN Access

_Andre_B_
Level 1

I have spent a lot of time already trying to figure out why I can't reach the LAN behind the router when connecting through VPN, so I figured it would be easier to ask people with more experience than me.

So here it goes. This is the config of an 877 ADSL router with some ACLs defined for security and NAT/PAT. The VPN connects fine from the Cisco VPN client; however, I cannot see anything on the LAN from the remote computer (e.g. I cannot ping the router or the DNS server on the LAN).

Also, from the router I cannot ping the remote VPN computer when it is connected. I have tried a bunch of different things already, but my Cisco knowledge is limited, so I'm hoping someone in this forum can sort this one out with little effort or change to this config. I have replaced IP addresses and passwords for obvious security reasons.

In a nutshell, what is wrong/missing in this config that is not letting me reach the LAN when connected through VPN?

Appreciate the help:

version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec localtime
service password-encryption
!
hostname My877Router
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 XXXXXXXXXX
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login VPN local
aaa authorization exec default local
aaa authorization network VPN local
!
!
aaa session-id common
clock timezone CST 9 30
!
crypto pki trustpoint TP-self-signed-901674690
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-901674690
revocation-check none
rsakeypair TP-self-signed-901674690
!
!
crypto pki certificate chain TP-self-signed-901674690
certificate self-signed 01
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
        quit
dot11 syslog
ip cef
!
!
ip inspect name _OUTBOUND_ tcp router-traffic
ip inspect name _OUTBOUND_ udp router-traffic
ip inspect name _OUTBOUND_ http
ip inspect name _OUTBOUND_ https
ip inspect name _OUTBOUND_ dns
ip inspect name _OUTBOUND_ icmp router-traffic
no ip domain lookup
ip domain name mydomain.com.au
ip name-server A.B.C.D
ip name-server x.y.z.w
!
password encryption aes
!
!
username admin privilege 15 secret 5 #$%^&*
username admin2 privilege 15 secret 5 #$%^&*
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
lifetime 3600
!
crypto isakmp client configuration group VPN
key 6 #$%^&_)(*&^%$%^&*(&^$
dns 192.168.100.5
domain mydomain.com.au
pool VPN
acl 100
max-users 5
max-logins 1
netmask 255.255.255.0
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set vpn1 esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 11
set transform-set vpn1
reverse-route
!
!
crypto map dynmap client authentication list VPN
crypto map dynmap isakmp authorization list VPN
crypto map dynmap client configuration address initiate
crypto map dynmap client configuration address respond
crypto map dynmap 11 ipsec-isakmp dynamic dynmap
!
archive
log config
  hidekeys
!
!
!
class-map type inspect match-any VPN-traffic
match access-group 100
!
!
policy-map type inspect ccp-pol-outToIn
class type inspect VPN-traffic
  inspect
!
!
!
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
no atm ilmi-keepalive
pvc 8/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
dsl operating-mode auto
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
description LAN_INTERFACE
ip address 192.168.100.1 255.255.255.0
no ip redirects
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1452
!
interface Dialer0
description ADSL
ip address negotiated
ip access-group 101 in
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip inspect _OUTBOUND_ out
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip route-cache flow
dialer pool 1
no cdp enable
ppp authentication chap callin
ppp chap hostname myuser@myisp.com
ppp chap password 7 76478678786
crypto map dynmap
!
ip local pool VPN 192.168.200.1 192.168.200.10
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
no ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source static tcp 192.168.100.9 443 interface Dialer0 443
ip nat inside source static tcp 192.168.100.9 25 interface Dialer0 25
ip nat inside source static tcp 192.168.100.9 1352 interface Dialer0 1352
ip nat inside source static tcp 192.168.100.6 3389 interface Dialer0 3389
ip nat inside source static tcp 192.168.100.7 3389 interface Dialer0 3391
ip nat inside source static tcp 192.168.100.3 8443 interface Dialer0 8443
ip nat inside source list 1 interface Dialer0 overload
!
access-list 1 permit 192.168.100.0 0.0.0.255
access-list 100 permit ip 192.168.200.0 0.0.0.255 any
access-list 101 permit tcp any any eq 443 log
access-list 101 permit tcp any any eq smtp log
access-list 101 permit tcp any any eq 1352 log
access-list 101 permit tcp host A.B.C.D any log
access-list 101 permit tcp host x.y.z.w any log
access-list 101 permit tcp host r.t.g.u any log
access-list 101 permit udp any host x.x.x.x eq isakmp log
access-list 101 permit udp any host y.y.y.y eq non500-isakmp log
access-list 101 deny   ip any any log
access-list 102 deny   ip 192.168.100.0 0.0.0.255 192.168.200.0 0.0.0.255 log
access-list 102 permit ip 192.168.100.0 0.0.0.255 any log
dialer-list 1 protocol ip permit
no cdp run
!
!
route-map nonat permit 11
match ip address 102
!
!
control-plane
!
banner motd ^C
Unauthorized Access Prohibited ! ^C
!
line con 0
exec-timeout 20 0
no modem enable
line aux 0
line vty 0 4
privilege level 15
transport input ssh
!
scheduler max-task-time 5000
sntp server x.x.x.x
sntp server y.y.y.y
end



14 Replies

Jennifer Halim
Cisco Employee

A few configurations are incorrect:

1) Split tunnel ACL 100 should be:

access-list 100 permit ip 192.168.100.0 0.0.0.255 192.168.200.0 0.0.0.255

2) The NAT needs to point towards the route-map, currently you have configured:

ip nat inside source list 1 interface Dialer0 overload

It needs to be modified as follows:

ip nat inside source route-map nonat interface Dialer0 overload

Thanks Jennifer, I'll give this a go.

I have already tried :

"2) The NAT needs to point towards the route-map, currently you have configured:

ip nat inside source route-map nonat interface Dialer0 overload"

But that made the LAN lose internet connectivity; I guess traffic wasn't travelling back to the LAN. Do I have to do clear ip nat trans * after adding that line?

Yes, please clear the NAT table after the changes.

Hi Jennifer,

I followed your advice , entering the following commands:

no access-list 100 permit ip 192.168.200.0 0.0.0.255 any
access-list 100 permit ip 192.168.100.0 0.0.0.255 192.168.200.0 0.0.0.255
no ip nat inside source list 1 interface Dialer0 overload
ip nat inside source route-map nonat interface Dialer0 overload
clear ip nat trans *

However, that still broke the LAN connection to the internet, as I had previously found. Even so, I still could not ping the LAN when connected via VPN. I have taken these changes out of the config for now.

Can you please try the following:

access-list 103 deny   ip 192.168.100.0 0.0.0.255 192.168.200.0 0.0.0.255
access-list 103 permit ip 192.168.100.0 0.0.0.255 any
ip nat inside source list 103 interface Dialer0 overload

I am assuming that you are trying to access the internet from 192.168.100.0/24 subnet, right?

Hi Jennifer ,

I have tried your last post, and although I can now get internet from the 192.168.100.0 LAN, I still cannot get the VPN-connected client to talk to the LAN.

Perhaps if I provide you with some logging info it would be easier to troubleshoot; I'm just not sure which logging would give you the right info.

Thanks

Can you ping the router inside interface: 192.168.100.1 from the VPN?

Also, what internal host are you trying to ping? Can you please try to ping a network device like a switch perhaps?

If you are trying to ping a Windows host/server, make sure that the Windows Firewall is turned off, because it normally does not allow inbound connections from other subnets.

Hi Jennifer,

I can't ping the router on its LAN interface.

I'm also trying to RDP to / ping the DNS server on the LAN and it is not working, but I can ping the DNS server (no Windows Firewall blocking) if I RDP to another server (not using VPN).

That is strange...

Can you please temporarily remove ACL 101 from the Dialer0 interface to test.

Also, can you please share the output of "show cry ipsec sa" after you try to ping.

Also, decrease the TCP MSS to a lower number, because after the additional IPsec header is added the packet will grow to more than 1500 bytes, causing fragmentation.

Please lower it to:

     ip tcp adjust-mss 1400

Jennifer ,

I tried the config changes you mentioned and still get the same results...when coming from VPN I cannot reach the LAN.

Here is the output of show cry ipsec sa (I have replaced the router's external IP address and the address of the remote client coming in from VPN).


interface: Dialer0
    Crypto map tag: dynmap, local addr x.x.x.x

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.200.5/255.255.255.255/0/0)
   current_peer y.y.y.y port 58335
     PERMIT, flags={}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: x.x.x.x, remote crypto endpt.: y.y.y.y
     path mtu 1500, ip mtu 1500, ip mtu idb Dialer0
     current outbound spi: 0xE1A395CB(3785594315)

     inbound esp sas:
      spi: 0x94EAA97C(2498406780)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 31, flow_id: Motorola SEC 1.0:31, crypto map: dynmap
        sa timing: remaining key lifetime (k/sec): (4482066/86354)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xE1A395CB(3785594315)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 32, flow_id: Motorola SEC 1.0:32, crypto map: dynmap
        sa timing: remaining key lifetime (k/sec): (4482066/86354)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

interface: Virtual-Access2
    Crypto map tag: dynmap, local addr x.x.x.x

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.200.5/255.255.255.255/0/0)
   current_peer y.y.y.y port 58335
     PERMIT, flags={}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: x.x.x.x, remote crypto endpt.: y.y.y.y
     path mtu 1500, ip mtu 1500, ip mtu idb Dialer0
     current outbound spi: 0xE1A395CB(3785594315)

     inbound esp sas:
      spi: 0x94EAA97C(2498406780)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 31, flow_id: Motorola SEC 1.0:31, crypto map: dynmap
        sa timing: remaining key lifetime (k/sec): (4482066/86354)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xE1A395CB(3785594315)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 32, flow_id: Motorola SEC 1.0:32, crypto map: dynmap
        sa timing: remaining key lifetime (k/sec): (4482066/86354)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

This is the output before removing ACL 101 from Dialer0:


interface: Dialer0
    Crypto map tag: dynmap, local addr x.x.x.x

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.200.4/255.255.255.255/0/0)
   current_peer y.y.y.y port 50989
     PERMIT, flags={}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: x.x.x.x, remote crypto endpt.: y.y.y.y
     path mtu 1500, ip mtu 1500, ip mtu idb Dialer0
     current outbound spi: 0x7A418A96(2051115670)

     inbound esp sas:
      spi: 0x1AF1C6A0(452052640)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 29, flow_id: Motorola SEC 1.0:29, crypto map: dynmap
        sa timing: remaining key lifetime (k/sec): (4379642/86363)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x7A418A96(2051115670)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 30, flow_id: Motorola SEC 1.0:30, crypto map: dynmap
        sa timing: remaining key lifetime (k/sec): (4379642/86363)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

interface: Virtual-Access2
    Crypto map tag: dynmap, local addr x.x.x.x

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.200.4/255.255.255.255/0/0)
   current_peer y.y.y.y port 50989
     PERMIT, flags={}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: x.x.x.x, remote crypto endpt.: y.y.y.y
     path mtu 1500, ip mtu 1500, ip mtu idb Dialer0
     current outbound spi: 0x7A418A96(2051115670)

     inbound esp sas:
      spi: 0x1AF1C6A0(452052640)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 29, flow_id: Motorola SEC 1.0:29, crypto map: dynmap
        sa timing: remaining key lifetime (k/sec): (4379642/86363)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x7A418A96(2051115670)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 30, flow_id: Motorola SEC 1.0:30, crypto map: dynmap
        sa timing: remaining key lifetime (k/sec): (4379642/86363)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

Doesn't look like there is anything being sent through the VPN tunnel. The decrypt counter is not increasing.

Can you please try to connect from a different ISP and see if that makes any difference?

Can you also try to connect from a different PC and see if that makes any difference?

The configuration on the router looks correct to me.
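The diagnosis above rests on reading the SA counters: if "#pkts decaps" never moves, nothing from the client is reaching the router, and the router's ACLs and NAT cannot be the cause yet. The script below is an added example, not part of the thread and not Cisco code. It parses two snapshots of "show crypto ipsec sa" (one before and one after a test ping from the VPN client), diffs the encaps/decaps counters per SA and prints a verdict per direction. The verdict wording and the constructed sample snapshots (documentation addresses, abbreviated to the lines the parser needs) are the editor's, and the "one-way" sample illustrates what a missing NAT exemption typically looks like rather than anything posted in this thread.

```python
"""Diff two snapshots of 'show crypto ipsec sa' and report which direction of
each client SA is actually moving packets.  Added example, not part of the
thread and not Cisco code; the verdicts are the editor's reading of the
diagnosis above (decaps not increasing => nothing arrives from the client)."""
import re

# One SA inside an "interface:" block: remote ident, peer, then the packet counters.
SA_RE = re.compile(
    r"remote ident \(addr/mask/prot/port\): \((?P<remote>[\d.]+)/[\d.]+/\d+/\d+\)\s*"
    r"current_peer (?P<peer>[\d.]+) port (?P<port>\d+).*?"
    r"#pkts encaps: (?P<encaps>\d+),.*?"
    r"#pkts decaps: (?P<decaps>\d+),",
    re.S,
)


def parse_sa(output: str) -> dict:
    """Map (interface, remote ident) -> {'peer', 'encaps', 'decaps'} for every SA."""
    sas = {}
    for block in re.split(r"^interface: ", output, flags=re.M)[1:]:
        iface = block.split("\n", 1)[0].strip()
        for m in SA_RE.finditer(block):
            sas[(iface, m["remote"])] = {
                "peer": f"{m['peer']}:{m['port']}",
                "encaps": int(m["encaps"]),   # packets the router sent into the tunnel
                "decaps": int(m["decaps"]),   # packets the router received from the tunnel
            }
    return sas


def diagnose(before: dict, after: dict) -> dict:
    """Compare counters taken before and after a test ping from the VPN client."""
    verdicts = {}
    for key, now in after.items():
        was = before.get(key, {"encaps": 0, "decaps": 0})
        d_in = now["decaps"] - was["decaps"]
        d_out = now["encaps"] - was["encaps"]
        if d_in == 0 and d_out == 0:
            why = "no packets in either direction: client traffic never reaches the router (try another PC/ISP)"
        elif d_out == 0:
            why = "decrypts but sends nothing back: check NAT exemption and return routing on the router"
        elif d_in == 0:
            why = "encrypts but receives nothing: check the inbound ACL/path and the client's split-tunnel list"
        else:
            why = "both directions move: the tunnel is fine, look at the LAN host (firewall, default route)"
        verdicts[key] = (d_in, d_out, why)
    return verdicts


def _snapshot(iface: str, remote: str, encaps: int, decaps: int) -> str:
    """Constructed, abbreviated SA block in the same shape as the output posted above."""
    return f"""interface: {iface}
    Crypto map tag: dynmap, local addr 198.51.100.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): ({remote}/255.255.255.255/0/0)
   current_peer 203.0.113.7 port 58335
     PERMIT, flags={{}}
    #pkts encaps: {encaps}, #pkts encrypt: {encaps}, #pkts digest: {encaps}
    #pkts decaps: {decaps}, #pkts decrypt: {decaps}, #pkts verify: {decaps}
"""


# Sample addresses are documentation ranges, not the poster's real ones.
BEFORE = _snapshot("Dialer0", "192.168.200.5", 0, 0)
AFTER_DEAD = _snapshot("Dialer0", "192.168.200.5", 0, 0)      # what this thread saw
AFTER_ONE_WAY = _snapshot("Dialer0", "192.168.200.5", 0, 12)  # typical missing NAT exemption


if __name__ == "__main__":
    for label, after in (("dead", AFTER_DEAD), ("one-way", AFTER_ONE_WAY)):
        for key, (d_in, d_out, why) in diagnose(parse_sa(BEFORE), parse_sa(after)).items():
            print(f"{label:8} {key[0]} {key[1]}: +{d_in} in, +{d_out} out -> {why}")
```

On a real router you would capture the output twice (before and after the ping) with the same client connected, feed both to parse_sa and let diagnose tell you which side to look at; the page's own output shows both Dialer0 and Virtual-Access2 entries for the same SA, and the parser keeps them apart by interface.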

Can you try just disabling ip route-cache flow on your LAN interface? It worked for me: I was able to connect with the VPN client but could not ping any other IP address. Just put no ip route-cache on your LAN interface.

Good luck!

Jennifer ,

You were right; for some reason the Telstra Next G card I was using to connect to this VPN was not working. When I switched to a computer on the LAN and connected, I could ping the devices. A few minor adjustments had to be made to NAT and ACLs; here they are:

ip nat inside source static tcp 192.168.100.9 443 interface Dialer0 443
ip nat inside source static tcp 192.168.100.9 25 interface Dialer0 25
ip nat inside source static tcp 192.168.100.9 1352 interface Dialer0 1352
ip nat inside source list 103 interface Dialer0 overload
!
access-list 1 permit 192.168.100.0 0.0.0.255
access-list 100 permit ip 192.168.200.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 100 permit ip 192.168.100.0 0.0.0.255 192.168.200.0 0.0.0.255
access-list 101 permit tcp any any eq 443 log
access-list 101 permit tcp any any eq smtp log
access-list 101 permit tcp any any eq 1352 log
access-list 101 permit udp any host xxx.xxx.xxx.xxx eq isakmp log
access-list 101 permit udp any host XXX.XXX.XXX.XXX eq non500-isakmp log
access-list 101 deny   ip any any log
access-list 102 deny   ip 192.168.100.0 0.0.0.255 192.168.200.0 0.0.0.255 log
access-list 102 permit ip 192.168.100.0 0.0.0.255 any log
access-list 103 deny   ip 192.168.100.0 0.0.0.255 192.168.200.0 0.0.0.255
access-list 103 permit ip 192.168.100.0 0.0.0.255 any
dialer-list 1 protocol ip permit
no cdp run
!
!
route-map nonat permit 11
 match ip address 102

Thanks for the help
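Two config mistakes were fixed over the course of this thread, and both are worth checking mechanically on any IOS EasyVPN server: the NAT ACL must deny LAN-to-pool traffic before it permits LAN-to-any (otherwise replies to VPN clients are PATed out of Dialer0 instead of going back into the tunnel), and the split-tunnel ACL must list the protected LAN as the source, because its sources are the networks behind the server that the client is told to tunnel. The route-map variant Andre tried used ACL 102, which differs from the ACL 103 that worked only in the log keyword on every entry; log on an ACL referenced by NAT or a route-map is a known trouble spot, so it is flagged too. The linter below is an added example, not part of the thread and not Cisco code; it handles numbered ACLs only, assumes contiguous wildcard masks, and is run here against ACL lines copied from the original post and from the final working config above.

```python
"""Lint the NAT and split-tunnel ACLs of an IOS EasyVPN-server config for the
two mistakes worked through in this thread.  Added example, not part of the
thread and not Cisco code; numbered ACLs only, contiguous wildcards assumed."""
import ipaddress
import re
from dataclasses import dataclass

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class Ace:
    action: str                    # "permit" or "deny"
    proto: str                     # ip/tcp/udp; standard ACLs recorded as "ip"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network     # standard ACLs have no destination: ANY
    log: bool                      # entry carries the "log" keyword


def _addr(tokens: list) -> tuple:
    """Consume one address spec (any | host A | A WILDCARD); return (network, rest)."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    prefix = 32 - int(ipaddress.ip_address(tokens[1])).bit_length()  # 0.0.0.255 -> /24
    return ipaddress.ip_network(f"{tokens[0]}/{prefix}", strict=False), tokens[2:]


def parse_acls(config: str) -> dict:
    """Group 'access-list N permit|deny ...' lines by N in configured order."""
    acls: dict = {}
    for line in config.splitlines():
        m = re.match(r"\s*access-list\s+(\d+)\s+(permit|deny)\s+(.+)", line)
        if not m:
            continue
        num, action, rest = int(m.group(1)), m.group(2), m.group(3).split()
        try:
            if num <= 99:                               # standard: source only
                if len(rest) == 1 and rest[0] != "any":
                    rest = ["host", rest[0]]            # bare address means host
                src, rest = _addr(rest)
                proto, dst = "ip", ANY
            else:                                       # extended: proto src dst [ports] [log]
                proto, rest = rest[0], rest[1:]
                src, rest = _addr(rest)
                dst, rest = _addr(rest)
        except ValueError:
            continue                # sanitised placeholders such as x.x.x.x are skipped
        acls.setdefault(num, []).append(Ace(action, proto, src, dst, "log" in rest))
    return acls


def check_nat_acl(aces: list, lan, pool) -> list:
    """First entry matching LAN->pool must be a deny, or replies to VPN clients
    are PATed out of Dialer0 instead of going back into the tunnel."""
    for a in aces:
        if lan.subnet_of(a.src) and pool.subnet_of(a.dst):
            if a.action == "deny":
                return []
            return [f"'{a.action} {a.src} -> {a.dst}' NATs {lan}->{pool}; put 'deny ip {lan} {pool}' first"]
    return [f"nothing matches {lan}->{pool}; add 'deny ip {lan} {pool}' before the permit"]


def check_split_tunnel(aces: list, lan, pool) -> list:
    """Sources in the split-tunnel ACL are the networks behind the server that
    the client must send through the tunnel, so the LAN has to be a source."""
    findings = []
    if not any(a.action == "permit" and a.src.subnet_of(lan) for a in aces):
        findings.append(f"no permit with {lan} as source: clients are never told to tunnel LAN traffic")
    findings += [f"'permit {a.src} -> {a.dst}' uses the client pool as source (redundant)"
                 for a in aces if a.action == "permit" and a.src.subnet_of(pool)]
    return findings


def check_no_log(aces: list) -> list:
    """'log' on an ACL used by NAT or a route-map is the visible difference
    between ACL 102 (broke LAN internet) and ACL 103 (worked) in this thread."""
    return [f"'{a.action} {a.src} -> {a.dst}' carries the log keyword" for a in aces if a.log]


def lint(config: str, nat_acl: int, split_acl: int,
         lan: str = "192.168.100.0/24", pool: str = "192.168.200.0/24") -> dict:
    """Run all checks; nat_acl/split_acl are the ACL numbers NAT and the client group use."""
    acls = parse_acls(config)
    lan_net, pool_net = ipaddress.ip_network(lan), ipaddress.ip_network(pool)
    nat, split = acls.get(nat_acl, []), acls.get(split_acl, [])
    return {"nat": check_nat_acl(nat, lan_net, pool_net) + check_no_log(nat),
            "split": check_split_tunnel(split, lan_net, pool_net)}


# ACL lines copied from the original post and from the final working config.
BEFORE = """
access-list 1 permit 192.168.100.0 0.0.0.255
access-list 100 permit ip 192.168.200.0 0.0.0.255 any
access-list 102 deny   ip 192.168.100.0 0.0.0.255 192.168.200.0 0.0.0.255 log
access-list 102 permit ip 192.168.100.0 0.0.0.255 any log
"""
AFTER = """
access-list 100 permit ip 192.168.200.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 100 permit ip 192.168.100.0 0.0.0.255 192.168.200.0 0.0.0.255
access-list 103 deny   ip 192.168.100.0 0.0.0.255 192.168.200.0 0.0.0.255
access-list 103 permit ip 192.168.100.0 0.0.0.255 any
"""

if __name__ == "__main__":
    for label, cfg, nat, split in (("original", BEFORE, 1, 100),
                                   ("route-map nonat", BEFORE, 102, 100),
                                   ("final", AFTER, 103, 100)):
        print(label, lint(cfg, nat, split))
```

Against the original config the linter reports that ACL 1 NATs LAN-to-pool traffic and that ACL 100 never names the LAN as a source; against the route-map attempt it passes the ordering check but flags log on both ACL 102 entries; against the final config it is clean apart from the pool-sourced ACL 100 line, which is harmless but pushes nothing useful to the client.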
